 While we wait for that to wrap up. It's I'm actually up here anyway I may as well introduce as you guys met her earlier this morning, but our esteemed leader Oh, there we go. Okay No by 63 to 29% and okay and still some undecided so Well, thanks very much everyone for participating in that but anyway our esteemed leader and reslaughter Those are actually surprising numbers. I would have Higher yes than I than I actually sorry Emory may I just have one moment? Yes, sorry. Can you put back the first one? Okay, so that is from before the debate 63% say no 25% say yes Now we're gonna put up the one after 68% say no 24% say yes, great. Thank you. Thanks guys. Go ahead Emory So before I Introduce this panel. I just have to say Peter Swire and I were carol mates in college and Neither of us would ever have expected that we would be both lawyers. Yes, but both Here at the conference on cyber security at least from my point of view. No, but it was great to have him back So we're gonna we're gonna talk a little bit now about doing cyber security beyond the Beltway And this is part of a much larger initiative at New America that is called Reinventing the think tank and I won't go through the whole argument But in a nutshell it is that if you are in the business of solving public problems It is still important to get a lot of smart people together and figure out answers and feed those answers to government That's the think tank model but that is not enough and that most of the or a great deal of the Solutions to public problems are actually now coming bottom up. They're coming bottom up in cities across the country I strongly urge you to read Jim Fallows Atlantic cover for this month that is all about the renewal of America that he sees across the country after Three years and 57,000 miles in a small plane going back and forth across the country and New America is opening hubs In different cities across the country you saw Megan Garcia, who's the head of New America's CA We're now prospecting in Chicago and we'll be looking at other cities and this panel is looking at Cyber security work beyond the Beltway may seem like a shock to many of us even beyond New York Even as far as my home state of New Jersey So we are joined by Ian Wallace whom you've met who is one of the co-directors of our cyber security Project and Dave Weinstein who is one of one of our New America cyber security fellows, but also cyber security advisor to New Jersey, which is my home state So I'm gonna listen to this with particular interest. So with that I will moderate the panel And now that we've established that there is cyber security beyond the Beltway Why should we be engaged in this kind of work? So I think I mean as part of New America's cyber security initiative We've been looking at where we can add most value. So the the very basic answer is We feel that no one else is looking at this and that there's a real opportunity But the the more substantive answer is of two more substantive answers one as Information systems become more and more part of our daily lives and for anyone who heard Paul Nicklaus is fantastic presentation this morning. You will get a sense of what this means And what it's going to mean going forward That means that pretty much at every level of government policymakers are going to have to make decisions that affects cyber security that in turn affect people's lives and Just as There was beginning to be a sort of industry focusing on cyber security policy at the federal level We see an opportunity to to have a look at what's going on at the State but also at the sort of local level some some big cities and some smaller cities have some really interesting stories to tell And then the second sort of substantive point is, you know, the similar to the same as the the Rationale behind the wider reinventing the think tank initiative. There's some really interesting good work Which is happening at that level including the sort of work that Dave is doing in in New Jersey that we want to shine a light on understand Think about in the same way that think tanks, you know ought to be thinking about public policy issues, right? So Dave you've worked at both the federal level and the state level So maybe you can just start by telling us from your point of view what the differences are. Yeah, thanks So at a macro level the public sector is not that different from a cyber security Perspective whether it's the federal level that the state level or even the local level It's important to note that States and cities as well are experiencing the same level of Sophisticated threats as the federal government is in many in many respects the so-called advanced persistent threat is Present at at the state level. It's present at the local level We see it every day and as states are building more capacity around monitoring and threat detection That's starting to become more and more apparent So I think from the same people or is it just that there's the same caliber or packer sort of wherever you are in some respects, there's some correlation between the actual actors in some respects there's commonalities around the tactics and the techniques they're using and you know It's a bit counter-intuitive, but if you think about it at the end of the day, they're they're after the same thing It's it's a data-rich environment whether it's state government or federal government So when you think about the the motivations behind the IRS hack behind the OPM hack and then you consider that States and localities are probably more vulnerable than the federal level is if that's possible no offense Then then it starts to come together But I think you know, it's useful to organize our thinking around State and local cybersecurity in kind of three buckets. The first is enterprise cyber risk management so there's a lot of focus on IT security at the federal level now in the wake of OPM These are the roles and responsibilities that fall under the CISO And states are taking more steps to to deal with those issues, right? Then there's the critical infrastructure protection mission, which is really unique at the state and local level We organize ourselves in New Jersey along the same lines as the federal government with the federally designated critical infrastructure sectors But there are over 500 assets in New Jersey that fall below that threshold of criticality For the federal government, but I can assure you as a as a New Jersey resident The wastewater treatment plan in Marse in Mercer County, New Jersey is is pretty critical to the residents in the surrounding area, so There's need to look at that and then finally the whole issue of privacy and this intersects with the enterprise security mission is protecting the data of Of citizens of your state or locality. That's a responsibility that now falls in the shoulders of Public officials at the local level So I heard Tom Fanning that say this morning that you really need to think of this as physical and cyber together And as you were talking I was remembering a presentation by the head of the FBI for New Jersey back in 2004 at Princeton about, you know, just doing counter-terrorism generally, right? So attacks on exactly those kinds of critical installations and so as you say, you know the Mercer Wastewater plant or energy plant that could be just as easily You know al-Qaeda or isle or any other group as it could be cyber How closely do you work sort of with the physical side? Yeah, we look we work very closely with the physical side the challenge I think in New Jersey and states across the nation is Establishing that cross-domain functionality kind of taking a holistic look at at risk that spans the cyber domain the physical domain To evaluate threats vulnerabilities and ultimately risk To the to these assets we're working closely with the Hs to kind of Take a high-level look at the risk picture But to your point Asset owners of spending a lot of resources on physical security. They're all running SCADA systems as well So so we're we're spending a lot of time actually traveling to these facilities talking to the The control operators talking to the IT Shops in these organizations and helping them establish a baseline awareness of best practices And assist with implementation, which is probably the highest barrier And I think I'm glad right in saying There is a fair diversity across the country of how states are grappling with these issues And so one of the things that we'll want to look at is you know, how states take a large amount of Resources that they've received from the federal government to deal with counterterrorism over the last decade and a half and How that relates to the challenges that they face on cyber security and there really are no right answers But there are definitely some answers that may be better than others And there's you know, I think David's actually doing a great job in New Jersey But there are different models that that are well worth considering and you know There are there are definitely organizations like the National Governors Association and others who look at sort of Conversations across states but but not so much from a sort of public policy perspective way that I think that would So Actually Davis you were talking and talking about across departments and the difficulties across departments I was thinking oh yes as compared to the fully joined up government at the federal level We we have these problems at the state level we you have them everywhere But are there specific challenges that you encounter at the state level that you don't see at the federal level? Yeah, so one of them is and again There's variations of this happening across the federal level But where I think it's more pronounced at the state level on the enterprise Cyber security side we are extremely federated and there is very little governance in multiple states around how we Implement security controls how we share information how we respond to incidents one area where I think state and locals Are really lacking where the federal government has made a lot of progress over the last few years is the incident response realm You know actually Responding to incidents having a public set sector capability that can so-called put the the cyber fire out at the state level That's that's pretty much universally non-existent capability I think there's a lot of opportunity in the future to scale the resources of the federal government in terms of Having local or county or state level Incident response teams that can actually serve not only public sector owners and operators event infrastructure, but also Industry as well small businesses, etc. So before before I ask the Question where the clock is stuck up here. So is somebody telling me that? Thank you Yes, back to we can operate it manually actually it works very well to hold up a little sign saying we have five minutes We're going to the audience I let me let me ask you sure ask you a question On my way into New York every time and out of New York going through Elizabeth and the refinery and the closeness of that refinery To Newark Airport. Yeah, it's always been a matter of Are you working with them to make sure that they can be cyber safe? Yeah, of course So, you know, this is a New Jersey example, but it's obviously common across multiple states We have a very dense infrastructure footprint and a lot of shared infrastructure so in the case of New York Airport you're talking about a port of Port authority asset shared infrastructure between New York and New Jersey We work very closely with them And I think this this kind of introduces the opportunity and the need at the state and local level to really partner with different organizations, whether they'd be national organizations or local or industry-aligned organizations We work extremely closely with the multi-state information sharing and analysis center Which is that the ISAC four states the MS ISAC is monitoring the networks of 40 state governments and Mining that data pooling it incredible value for learning organizations at the state and local level of emergent threats Similarly, we're partnering in the information sharing space to support organizations like the port authority or or airports for example To start sharing indicators of compromise threat indicators in Automated fashion so so doing away with kind of the manually intensive processes for sharing threat intelligence and adopting universally recognized frameworks to achieve this near real-time shared situational awareness of the the cyber threat landscape so machines talking to machines exchanging threat information that's pretty close to zero day And automatically integrating that into the security architecture of our partners whether those partners be Newark Airport or the The folks who are operating the industrial control systems for the pipelines that go from Lyndon, New Jersey to lower Manhattan There's a lot of goodness in realizing Operational fiscal and technical Efficiencies through some of these partnerships the MS ISAC is one, but other vertically aligned ISACs and soon to be ISAOs Are a great place to start and that's that's where we focused our efforts So, you know that that was a great example of an answer that focuses on how you can make us safer through technology through automated You know threat Updating all the time. What about the old-fashioned way of legislation? You know one of the things we talk about all the time is we need to solve problems through computer code But legal code still has its its role is there a a project that you see of sort of you know model state Cybersecurity legislation. Yeah, I think I think there is I think a big topic here around legislation It's kind of the blocking and tackling at the state level Revolves around governance, right and what we've what we've adopted what we put in practice in New Jersey even in the absence of legislation although legislation which strengthens it is the integration of threat intelligence security operations and Cyber policy and compliance under a single kind of cyber risk management governance framework And in doing so kind of elevated to use it an overly used phrase Elevated cyber security to the C-suite in this case the governor's office To raise awareness at that level To to ultimately To put to put decisions into action, right another really interesting concept that multiple states including us are experimenting with is kind of this this separation between the IT side of the house and The cyber security side of the house, right so establishing a governance model based on risk for Ultimately Reconciling the conflicts that always arise between technology professionals and security professionals Legislation can can really create some structure around that type of model But but I think what we're seeing play out at the state and local level right now is is experimental Practices and and you know, we'll see if if states start to put it into coming to ask you and our last question So what's next so in your answer to that? So I'm gonna follow on that and and tell you what's next so in addition to what Dave told us about How states look after their own security, of course states have a really important role in setting the context for Everyone who lives in their states and not just state cities as well And we're constantly reminded the Tom Fanning said himself Cyber security is actually often something that's delivered by the private sector So one of the things that we're going to be looking at and part of this project is sort of how states affect what they're wide Ecosystems and that includes sort of education. It includes workforce another of our programs opportunity at work is doing some great Work around the country to support the White House's tech higher initiative Which has a cyber security aspect to it and and there are other people out in the states, for example Regulators not many people realize that Insurance is regulated at the state level and that has potentially a really big interest in in sort of driving cyber security So going forward we are gonna do what think tanks do write reports But we also intend to get out in the states themselves partly so we can see what's going on and and Shine lights but also so we can take New America out into the states and run some events so As you we've heard partnership is part of what we do and therefore we're very interested in hearing from Anybody sort of outside of DC who feels they have a good story to tell and wants to work with us on some of these Really interesting issues great. You you anticipated my my closing. Yes that They my closing remarks, which was to everybody in this audience, but also people online on Twitter If you are involved in work at the local state and local level or accumulating that work we do want to know about it and Otherwise, I'm feeling a little better as a resident of New Jersey Although as you were talking about the governor's office all I can think was I was in New Jersey yesterday or Monday and The conversation all day was when Chris Christie would might ever come back to the governor's office But that was off-the-record political comments and we will now thank our Panel and turn it back over to our next event. Thank you. Thank you